Executive summary 


Background & Scope 


Under section 123(1) of the Data Protection Act 2018, the Information Commissioner 
produced a code of practice on standards of age appropriate design, the Age 
Appropriate Design Code (AADC). The AADC applies to “relevant information 
society services which are likely to be accessed by children” in the UK. This 
includes many apps, programs, connected toys and devices, search engines, 
social media platforms, streaming services, online games, news or educational 
websites, and websites offering other goods or services to users over the 
internet. It is not restricted to services specifically directed at children. 


The AADC sets out 15 headline standards of age appropriate design that 
companies need to implement to ensure their services appropriately safeguard 
children’s personal data and process children’s personal data fairly. The AADC 
came into force on 2 September 2021. 


More widely, the Information Commissioner is also responsible for enforcing and 
promoting compliance with the UK General Data Protection Regulation (UK 
GDPR), the Data Protection Act 2018 (DPA18) and other data protection 
legislation. Section 129 of the DPA18 allows the ICO to carry out consensual 
audits. The ICO sees auditing as a constructive process with real benefits for 
controllers and so aims to establish a participative approach. 


Gameforge 4D GmbH — hereafter Gameforge — agreed to a consensual audit of 
the measures, processes, and policies they have in place to demonstrate 
conformance with the AADC and compliance with data protection legislation. 


The purpose of the audit is to provide the ICO and Gameforge with an 
independent assurance of the extent to which Gameforge, within the scope of 
this agreed audit, is complying with the AADC and data protection legislation. 


The scope areas covered by this audit are determined following a risk-based 
analysis of Gameforge’s processing of UK children’s personal data. The scope 
may take into account any data protection issues or risks which are specific to 
Gameforge, identified from ICO intelligence or Gameforge’s own concerns, and/or 
any data protection issues or risks which affect their specific sector or 
organisations more widely. The ICO has further tailored the controls covered in 
each scope area to take into account the organisational structure of Gameforge, 
the nature and extent of Gameforge’s processing of UK children’s personal data, 
and to avoid duplication across scope areas. As such, the scope of this audit is 
unique to Gameforge. 
It was agreed that the audit would focus on the following areas: 


A: Governance, Policies, Transparency, and Rights 

B: DPIAs and Best Interests of Children 

C: Data Minimisation and Sharing 

D: Age Assurance 

E: Detrimental Use of Personal Data 

F: Default Settings 

G: Parental Controls 

H: Geolocation 

I: Profiling 

J: Nudge Techniques 




Audits are conducted following the Information Commissioner’s data protection 
audit methodology. The key elements of this are a desk-based review of 
evidence documentation including selected policies and procedures, and virtual 
interviews with selected key staff. 


Where opportunities were identified, recommendations have been made to 
facilitate conformance with AADC code standards and improve compliance with 
data protection legislation. In order to help Gameforge understand its 
obligations, we have used the following format in the report: 


- Where we use “must”, this means that the law requires Gameforge to 
take action to meet a legal requirement. 

- Where we use “should”, this isn't a legal requirement but is what we 
expect Gameforge to do to comply effectively with the law. Gameforge 
should follow this unless there is a good reason not to. If Gameforge takes 
a different approach, it must be able to demonstrate that this complies 
with the law. 

- Where we use “could”, this refers to an action that Gameforge may want 
to consider to improve its compliance or adopt good practice. 


These priorities are assigned based upon the ICO’s assessment of the risks 
involved. Gameforge’s priorities and risk appetite may vary and, therefore, they 
should undertake their own assessments of the risks identified. 
Overview of System and Data Processing 


Gameforge is a video games publisher and developer that is headquartered in 
Karlsruhe, Germany. Gameforge was founded in 2003 and publishes around 15-20 
online games, most of which are Massively Multiplayer Online Role Play 
Games (MMORPGs). Gameforge games are played on PC and can be accessed 
across the world via the user's browser, the Gameforge launcher, or popular 
third party platforms. 


Gameforge is a member of the ‘Unterhaltungssoftware Selbstkontrolle’ (USK), 
which is Germany's self-regulation body for entertainment software. The 
majority of Gameforge games are rated as suitable for children aged 0-12 years; 
however, it was reported that this is due to the absence of more adult content or 
high risks to children rather than active targeting of child users. Gameforge has 
assessed that its games are unlikely to appeal to younger children as, although 
its games include fantasy elements/animation styles, gameplay involves 
complex high-strategy roleplay mechanics that require users to make quick 
tactical calculations and optimise character development. 


Gameforge does not collect any user data to confirm their ages or identify child 
users, and subsequently has chosen to apply high privacy and data protection 
safeguards to all users — including UK child users — by implementing 
pseudonymisation of all user account data and high security standards, and not 
implementing higher risk processing activities such as location tracking or 
profiling. 


Gameforge has also adopted a privacy-by-design approach and embedded data 
minimisation throughout the organisation, which is subject to oversight from the 
Data Protection Officer and Legal team. Gameforge’s ethos is to maintain the 
lowest privacy risks to users. 


Audit Summary 


Overall Assurance Rating Overall Opinion 


There is a reasonable level of assurance that 
the organisation conforms with the AADC 
standards and processes are in place to 
deliver data protection compliance. The audit 
has identified some scope for improvement in 
existing arrangements to reduce the risk of 
non-conformance with the AADC and 
subsequent non-compliance with data 
protection legislation. 


*The assurance rating above is reflective of the remote audit methodology deployed at this time and the rating 
may not necessarily represent a comprehensive assessment of compliance. 
Opportunities for Improvement 


Privacy information must include sufficient detailed information about specific 
instances of processing, their purpose and lawful basis, and retention 
arrangements. Privacy information should be provided in a format that is age- 
appropriate and understandable to UK child users, supported by user testing to 
confirm that users are fully informed how their personal data is processed. 


DPIAs should clearly record consultation with key stakeholders, feedback/approval 
from the management board, and change history or evidence of 
periodic reviews. Privacy risks identified in DPIAs should be subject to 
appropriate risk management oversight, and evidence that mitigating controls 
are fully in place and effective should be checked before processing begins and 
periodically thereafter. 


An assessment should be undertaken to consider and document the potential 
ages of users, which can be achieved non-intrusively by using anonymous or 
aggregated data such as market research, indicative analytics from social media/streaming 
platforms, or optional in-game surveys. 


Gameforge’s approach to conforming with specific AADC code standards should 
be documented and regularly reviewed, specifically in regards to default 
settings, parental controls, geolocation, profiling, and nudge techniques. 
Good Practice 


Five members of Gameforge’s Legal team have attained Data Protection Officer 
(DPO) certification. Two of them additionally have Youth Protection Officer 
certifications; both are formally appointed Youth Protection Officers of 
Gameforge and can be reached by email to assist users and parents with youth 
protection matters. Additionally, Gameforge has an external and formally 
appointed DPO who is regularly consulted by the Legal team to minimise blind 
spots and who can be reached by users and parents by email. This means that 
any member of the Legal team can complete tasks in all data protection areas, 
which enables good business planning and continuity. 


Gameforge has made two members of the Legal team who hold a DPO 
certification key signatories to the company accounts and to new/changed 
contracts. At least one of them must sign before the second signature by a 
member of the management board is made. This ensures that any new personal 
data processing, or any change to existing processing, is reviewed by DPO 
certified personnel and, where deemed necessary, discussed with the formally 
appointed DPO and Youth Protection Officers. 


Gameforge does not use personal data to promote or market third party 
products or services to users, and Gameforge online services do not include any 
third party advertising. 


Gameforge has implemented prompts within its 'Aion' game that encourage 
users to take a break from continuous/excessive play, and automatically 
disconnects a user after 24h of continuous play. 


Gameforge processes geolocation only to country level using the user's IP address. 
After a period of seven days the IP address is permanently redacted and hashed in 
Gameforge databases, in such a way that the hash functions are changed daily and, 
after a further period of 180 days, the hash function cannot be reconstructed. 
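The retention schedule described above (country lookup, seven days of raw IP retention, then a daily-rotated hash whose key is destroyed after 180 days) can be modelled in a few lines. The following is an added illustration written for this summary, not Gameforge's code, and it assumes an implementation that the report does not specify: the "hash function changed daily" is modelled as an HMAC-SHA256 keyed with a fresh random per-day key, and "cannot be reconstructed" as deletion of keys older than 180 days. The country table and IP addresses are constructed sample data from the RFC 5737 documentation ranges; a real deployment would use a GeoIP database.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date, timedelta

# Constructed sample country table (documentation prefixes, not real geolocation data).
COUNTRY_PREFIXES = {
    "203.0.113.0/24": "GB",
    "198.51.100.0/24": "DE",
}

RAW_RETENTION_DAYS = 7      # raw IP is kept this long, then redacted (per the report)
KEY_RETENTION_DAYS = 180    # per-day hash keys are destroyed after this (assumption)


def country_for_ip(ip):
    """Country-level geolocation only: return a country code, never the IP itself."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in COUNTRY_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return None


class DailyKeyStore:
    """Hypothetical key store: one random HMAC key per calendar day.

    Rotating the key daily means hashes of the same IP differ from day to day,
    and purging old keys makes stored hashes impossible to recompute or verify.
    """

    def __init__(self):
        self._keys = {}

    def key_for(self, day):
        if day not in self._keys:
            self._keys[day] = secrets.token_bytes(32)
        return self._keys[day]

    def has_key(self, day):
        return day in self._keys

    def purge(self, today):
        """Destroy every key older than KEY_RETENTION_DAYS."""
        cutoff = today - timedelta(days=KEY_RETENTION_DAYS)
        for day in [d for d in self._keys if d < cutoff]:
            del self._keys[day]

    def pseudonymise(self, ip, day):
        return hmac.new(self.key_for(day), ip.encode(), hashlib.sha256).hexdigest()


def record_login(ip, day):
    """Store the country for analytics plus the raw IP, which is only temporary."""
    return {"country": country_for_ip(ip), "ip": ip, "ip_hash": None,
            "logged_on": day, "hashed_on": None}


def age_record(store, record, today):
    """Apply the schedule: once the raw IP is RAW_RETENTION_DAYS old, replace it
    with a keyed hash under today's key and redact the raw value."""
    if record["ip"] is not None and (today - record["logged_on"]).days >= RAW_RETENTION_DAYS:
        record["ip_hash"] = store.pseudonymise(record["ip"], today)
        record["hashed_on"] = today
        record["ip"] = None
    return record


def can_relink(store, record, candidate_ip):
    """Can the stored hash still be matched against a known IP? Only while the
    key used on hashed_on survives; after purge the answer is always False."""
    day = record["hashed_on"]
    if record["ip_hash"] is None or day is None or not store.has_key(day):
        return False
    return hmac.compare_digest(record["ip_hash"], store.pseudonymise(candidate_ip, day))


if __name__ == "__main__":
    store = DailyKeyStore()
    d0 = date(2024, 1, 1)
    rec = record_login("203.0.113.7", d0)
    age_record(store, rec, d0 + timedelta(days=7))
    print(rec["country"], rec["ip"], can_relink(store, rec, "203.0.113.7"))
    store.purge(d0 + timedelta(days=7 + 181))
    print(can_relink(store, rec, "203.0.113.7"))
```

Two properties are worth checking in a review: the raw IP must be absent from the record after day seven, and after the key purge even the data controller, holding the original IP, can no longer confirm a match against the stored hash.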
Disclaimer 


The matters arising in this report are only those that came to our attention during the 
course of the engagement and are not necessarily a comprehensive statement of all the 
opportunities for improvement. The responsibility for ensuring that there are adequate 
risk management, governance and internal control arrangements in place rests with the 
management of Gameforge. 


We take all reasonable care to ensure that our report is fair and accurate but cannot 
accept any liability to any person or organisation, including any third party, for any loss 
or damage suffered or costs incurred by it arising out of, or in connection with, the use 
of this report, however such loss or damage is caused. We cannot accept liability for loss 
occasioned to any person or organisation, including any third party, acting or refraining 
from acting as a result of any information contained in this report. 


This report is solely for the use of Gameforge. The areas covered have been tailored to 
this engagement and, as a result, the report is not intended to be used in comparison 
with other ICO reports. 